moleculer-db
sanitizeParams does not filter out non public fields
Problem / motivation
The sanitizeParams function does not filter out fields inside the query param. This makes it hard to "hide" fields from public access, since an attacker can still query on those fields and gain privileged information.
I am not exactly sure what the intention of the "fields" setting is, but I sure do hope no one is using it with the assumption that access is restricted to those fields.
Example
Suppose I have the following service definition:
```js
module.exports = {
  name: 'example',
  settings: {
    // only _id is meant to be exposed
    fields: ['_id'],
    entityValidator: {
      // hiddenField is stored but not listed in `fields`
      hiddenField: { type: 'boolean', default: true },
    },
  },
};
```
I can still use hiddenField in actions with the query param. For example, from the moleculer REPL:
```sh
call example.list --query '{"hiddenField": false}'
```
will list out all the entities where hiddenField is false. Ideally, querying in this manner should not work.
Suggested Solution
Inside the sanitizeParams function, after parsing, one could filter the query by:
```js
// Only filter when a `fields` whitelist is configured; without one,
// `this.settings.fields.includes` would throw on undefined.
const allowed = this.settings.fields;
if (p.query && Array.isArray(allowed)) {
  const filteredQuery = Object.fromEntries(
    Object.entries(p.query)
      // keep only the public fields
      .filter(([field]) => allowed.includes(field))
  );
  p.query = filteredQuery;
}
```
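A top-level filter like the one above still lets a hidden field ride inside a logical operator such as `$or: [{ hiddenField: false }]`, which the adapter would evaluate as-is. The following is an added example, not moleculer-db's own code, showing a whitelist sanitizer that also recurses into `$and` / `$or` / `$nor` branches and drops any other `$`-operator at the top level. It assumes the query is a plain object in the MongoDB-style shape the issue uses; `sanitizeQuery` and `LOGICAL_OPS` are names chosen here, and the sample `incoming` query is constructed for the demo.

```javascript
// Added example (not moleculer-db code): whitelist-based query sanitizer.
// Assumption: `query` is a MongoDB-style plain object ({ field: value }),
// possibly wrapping sub-queries in $and / $or / $nor arrays.

const LOGICAL_OPS = new Set(["$and", "$or", "$nor"]);

function sanitizeQuery(query, allowedFields) {
  // Anything that is not a plain object (arrays, null, strings) becomes an empty query.
  if (query === null || typeof query !== "object" || Array.isArray(query)) {
    return {};
  }
  const allowed = new Set(allowedFields);
  const out = {};
  for (const [key, value] of Object.entries(query)) {
    if (LOGICAL_OPS.has(key) && Array.isArray(value)) {
      // Recurse into each branch so a hidden field cannot be smuggled in via $or: [...]
      const branches = value
        .map((sub) => sanitizeQuery(sub, allowedFields))
        .filter((sub) => Object.keys(sub).length > 0);
      if (branches.length > 0) out[key] = branches;
    } else if (allowed.has(key)) {
      // Exact match against the whitelist; dotted paths like "hidden.sub" are not in it.
      out[key] = value;
    }
    // Everything else (hidden fields, $where, $expr, unknown operators) is dropped.
  }
  return out;
}

// Constructed input mirroring the issue: `_id` is public, `hiddenField` is not.
const settings = { fields: ["_id"] };
const incoming = {
  hiddenField: false,
  _id: "abc",
  $or: [{ hiddenField: true }, { _id: "x" }],
};

console.log(JSON.stringify(sanitizeQuery(incoming, settings.fields)));
// → {"_id":"abc","$or":[{"_id":"x"}]}
```

Silently dropping the offending keys matches the spirit of the suggested fix; a stricter variant would throw a validation error instead, so a client that references a hidden field gets an explicit rejection rather than a narrowed result set.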